https://community.splunk.com/t5/Splunk-Search/OR-statement-with-results-from-DBXquery/m-p/755612#M242953 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/274090">@DarthHerm</a>&nbsp;</P><P>I started to look into this but hit a stumbling block.</P><P>You can get a subquery to return an OR using the 'return' command, such as:</P><LI-CODE lang="markup">| makeresults count=2 | eval product=123 | streamstats count as CandyNoteInfoId | return 100 CandyNoteInfoId</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="livehybrid_0-1763420106129.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/40839i61DABCF4BC11A8C7/image-size/medium?v=v2&amp;px=400" role="button" title="livehybrid_0-1763420106129.png" alt="livehybrid_0-1763420106129.png" /></span></P><P>&nbsp;</P><P>You would ensure that the fieldname returned matches the field in your wider search and then apply this as a subsearch by placing in square braces ([ ]) as part of your main search - however in your data I cannot see a&nbsp;<SPAN>CandyNoteInfoId field, I can only see it as part of an object with the name and value in different fields as&nbsp;parameters{}.name, is that right?&nbsp;</SPAN></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 17 Nov 2025 23:05:52 GMT livehybrid 2025-11-17T23:05:52Z https://community.splunk.com/t5/Splunk-Search/OR-statement-with-results-from-DBXquery/m-p/755607#M242952 <P>Hopefully this makes some sense.&nbsp;&nbsp;<BR /><BR />I am working on a dashboard that pulls up activity when someone clicks on the details on a note.&nbsp; The event log lists the note id number but it not tied to the product page the user is on.&nbsp;<BR /><BR />Leveraging dbxquery, I have a query that generates me the Note Ids for the Product page. Pending on the product, there could be just a handful or several hundred.&nbsp;</P><P>with the results of the dbxquery, is it possible to take those results and have it as a large OR statement? I considered making the noteid as a seperate drop down in my dashboard but the problem with multiple hundred notes to a specific product makes it difficult. I want to in the dashboard to show when a user with the product selected to see when they clicked on the details of that product's notes. Right now I have it show all the notes a user pulls up.&nbsp;<BR /><BR />dbxquery (sanitzed)<BR />| dbxquery query="SELECT o.[CandyNoteInfoId] ,n.[CandyNoteId] ,o.[ProductId] ,o.[NoteTypeId] ,o.[StaffId] as userId ,o.[UpdateUserId] ,n.[Details] FROM [DataBase_Name].[ind].[CandyNoteInfo] o left join [DataBase_Name].[ind].[CandyNote] n on o.[CandyNoteInfoId] = n.[CandyNoteInfoId] where ProductId = 12345" connection="Confection"<BR />|stats count by CandyNoteInfoId<BR /><BR />Current search without the DBXquery results.&nbsp;<BR />index="index_name" userName=pvenkman module="Vendor.Product.BLL.Candy" storedProcedureName=CandyNoteInfoGetById<BR />| dedup _time<BR />| eval newtime=strftime(_time,"%b %d, %Y %I:%M:%S %p %Z")<BR />| table newtime userName serverHost CandyNoteInfoId storedProcedureName<BR />| rename newtime AS "Date and time" userName AS "Username" serverHost AS "Atlas server" CandyNoteInfoId AS "SQL Candy note info id number" storedProcedureName AS "Stored procedure name"<BR /><BR /><BR /></P><P>Raw text of event log (sanitized)</P><P>{"auditResultSets":null,"schema":"ind","storedProcedureName":"CandyNoteInfoGetById","commandText":"ind.CandyNoteInfoGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@CandyNoteInfoId","value":15979125}],"serverIPAddress":"000.000.000.000","serverHost":"webserver","clientIPAddress":"111.111.111.111","sourceSystem":"WebSite","module":"Vendor.Product.BLL.Candy","accessDate":"2025-11-14T12:52:15.1335635-07:00","userId":1984,"userName":"pvenkman","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.Client.NotesDetails","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.Candy.CandyNoteInfoManager","method":"Get"}]}<BR /><BR />Syntax highlighted<BR />{ [-]<BR />auditResultSets: null,<BR />schema: "ind",<BR />storedProcedureName: "CandyNoteInfoGetById",<BR />commandText: "ind.CandyNoteInfoGetById",<BR />Locking: null,<BR />commandType: 4,<BR />parameters: [ [-]<BR />{ [-]<BR />name: "@RETURN_VALUE",<BR />value: 0<BR />},<BR />{ [-]<BR />name: "@CandyNoteInfoId",<BR />value: 15979125<BR />}<BR />],<BR />serverIPAddress: "000.000.000.000",<BR />serverHost: "webserver",<BR />clientIPAddress: "111.111.111.111",<BR />sourceSystem: "WebSite",<BR />module: "Vendor.Product.BLL.Candy",<BR />accessDate: "2025-11-14T12:52:15.1335635-07:00",<BR />userId: 1984,<BR />userName: "pvenkman",<BR />traceInformation: [ [-]<BR />{ [-]<BR />type: "Page",<BR />class: "Vendor.Product.Web.UI.Website.Client.NotesDetails",<BR />method: "Page_Load"<BR />},<BR />{ [-]<BR />type: "Manager",<BR />class: "Vendor.Product.BLL.Candy.CandyNoteInfoManager",<BR />method: "Get"<BR />}<BR />]<BR />}</P> Mon, 17 Nov 2025 22:15:34 GMT https://community.splunk.com/t5/Splunk-Search/OR-statement-with-results-from-DBXquery/m-p/755607#M242952 DarthHerm 2025-11-17T22:15:34Z https://community.splunk.com/t5/Splunk-Search/OR-statement-with-results-from-DBXquery/m-p/755612#M242953 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/274090">@DarthHerm</a>&nbsp;</P><P>I started to look into this but hit a stumbling block.</P><P>You can get a subquery to return an OR using the 'return' command, such as:</P><LI-CODE lang="markup">| makeresults count=2 | eval product=123 | streamstats count as CandyNoteInfoId | return 100 CandyNoteInfoId</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="livehybrid_0-1763420106129.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/40839i61DABCF4BC11A8C7/image-size/medium?v=v2&amp;px=400" role="button" title="livehybrid_0-1763420106129.png" alt="livehybrid_0-1763420106129.png" /></span></P><P>&nbsp;</P><P>You would ensure that the fieldname returned matches the field in your wider search and then apply this as a subsearch by placing in square braces ([ ]) as part of your main search - however in your data I cannot see a&nbsp;<SPAN>CandyNoteInfoId field, I can only see it as part of an object with the name and value in different fields as&nbsp;parameters{}.name, is that right?&nbsp;</SPAN></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 17 Nov 2025 23:05:52 GMT https://community.splunk.com/t5/Splunk-Search/OR-statement-with-results-from-DBXquery/m-p/755612#M242953 livehybrid 2025-11-17T23:05:52Z https://community.splunk.com/t5/Splunk-Search/OR-statement-with-results-from-DBXquery/m-p/755617#M242954 <P>You can get the format statement to create an OR query with a multivalue field, is this something you can use</P><LI-CODE lang="markup">... | stats values(CandyNoteInfoId) as search | format</LI-CODE> Tue, 18 Nov 2025 00:20:19 GMT https://community.splunk.com/t5/Splunk-Search/OR-statement-with-results-from-DBXquery/m-p/755617#M242954 bowesmana 2025-11-18T00:20:19Z